CVE-2025-31489

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.

CVSS

No CVSS.

References

Link	Resource
https://github.com/minio/minio/pull/21103
https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh

Configurations

No configuration.

History

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) MinIO es un almacenamiento de objetos de alto rendimiento publicado bajo la Licencia Pública General Affero GNU v3.0. El componente de firma de la autorización podría no ser válido, lo que significaría que, como cliente, podría usar cualquier secreto arbitrario para cargar objetos, siempre que el usuario ya tenga permisos de escritura en el bucket. Es necesario conocer previamente la clave de acceso y el nombre del bucket al que este usuario podría tener acceso, así como una clave de acceso con permisos de escritura. Sin embargo, con la información pertinente, cargar objetos aleatorios a los buckets es trivial y sencillo mediante curl. Este problema se solucionó en la versión RELEASE.2025-04-03T14-56-28Z.

03 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-03 20:15

Updated : 2025-04-07 14:18

NVD link : CVE-2025-31489

Mitre link : CVE-2025-31489

CVE.ORG link : CVE-2025-31489

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2025-31489", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-03T20:15:25.897", "references": [{"url": "https://github.com/minio/minio/pull/21103", "source": "security-advisories@github.com"}, {"url": "https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access\nto - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z."}, {"lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento publicado bajo la Licencia P\u00fablica General Affero GNU v3.0. El componente de firma de la autorizaci\u00f3n podr\u00eda no ser v\u00e1lido, lo que significar\u00eda que, como cliente, podr\u00eda usar cualquier secreto arbitrario para cargar objetos, siempre que el usuario ya tenga permisos de escritura en el bucket. Es necesario conocer previamente la clave de acceso y el nombre del bucket al que este usuario podr\u00eda tener acceso, as\u00ed como una clave de acceso con permisos de escritura. Sin embargo, con la informaci\u00f3n pertinente, cargar objetos aleatorios a los buckets es trivial y sencillo mediante curl. Este problema se solucion\u00f3 en la versi\u00f3n RELEASE.2025-04-03T14-56-28Z."}], "lastModified": "2025-04-07T14:18:34.453", "sourceIdentifier": "security-advisories@github.com"}